Last updated · May 10, 2026

What we collect, why, and what you control.

A real privacy policy a builder will actually read. No legalese walls, no certifications we don’t have. If something here looks wrong or you want a copy of your data, email hello@coconnect.ai.

1 · The short version

We collect account info, your profile, payment info (handled by Stripe, not us), support emails, and basic analytics. We use it to run the platform, match you with people, send the emails you signed up for, and prevent abuse. You can export your data, edit it, delete your account, and opt out of marketing email anytime. We don’t sell your personal data.

2 · Who this covers

This policy covers two surfaces:

coconnect.ai — this marketing site and the waitlist signup.
app.coconnect.ai — the CoCo platform itself, once it ships.

We’re a small team. If a section talks about something that isn’t live yet (the app), we say so.

3 · What we collect

On the waitlist (today)

When you join the waitlist at /signup, we collect your name, email, the role you picked (builder, collaborator, or investor), and the intent parameter if the link you arrived from carried one. The submission is appended to a Google Sheet via a Google Apps Script web app, and the same submission triggers an email to the founders so we know you’re here. That’s the whole pipeline today — no CRM, no marketing automation, no enrichment.

In the app (going forward)

When you create a CoCo account, we collect:

Account. Email, password hash (bcrypt — we never store plain passwords), and any OAuth provider IDs you used (Google, Facebook, Microsoft) plus what those providers return: name, profile image, and a verified-email flag.
Profile. Handle, photo, optional intro video, bio, role, hours-per-week availability, experience level, skills, domains, compensation expectations, free-text answers, region or geo preference, LinkedIn URL, and — for investors — fund URL, investor thesis, investment-amount preferences, co-investor preferences, and preferred currencies and cadence.
Projects you publish. Title, description, link, and cover image.
Companies you found or join. Name, description, region, domains, stage, logo, website, and team size.
Job postings, applications, syndicate memberships, and CoCo Formed team membership or applications.
Activity. Access requests, invites sent and received, blocks, last-active timestamp, and a credibility score (a platform-computed signal, not sourced from anywhere external).
Billing. Stripe customer ID, subscription ID, tier, cadence (monthly or annual), and billing status. We do not store full card numbers — Stripe holds those.
Communications metadata. An email-deliverability flag (flipped automatically when Resend reports a bounce or complaint) and verification-email timestamps.

Automatic data

Logs and error reports, via Sentry.
Product analytics events, via PostHog — gated on cookie consent in the EU.
Performance metrics, via Vercel Speed Insights and Vercel Analytics.
Anti-bot signals via Cloudflare Turnstile on signup forms.

4 · Why we use it

The legal basis depends on what we’re doing:

Provide and operate the Service — contract.
Match builders, collaborators, and investors — contract plus legitimate interest.
Process payments — contract.
Send transactional email (sign-in links, billing, security alerts) — contract.
Product updates — consent.
Prevent fraud, abuse, and harassment; enforce blocks; protect the platform — legitimate interest.
Comply with law — legal obligation.

5 · Who we share it with

We use a short list of subprocessors to run the platform. Each one only gets what they need to do their job. We do not sell your personal data.

Provider	What they do	Where
Vercel	Hosting & serverless runtime	US
Supabase	Postgres database & realtime	Region per project; user data stored in EU/US depending on org choice
Cloudflare R2	File storage (avatars, logos, project covers in a public bucket; resumes, exports, videos in a private bucket)	Global edge
Cloudflare Turnstile	CAPTCHA / bot mitigation	Global edge
Resend	Transactional email	US
Stripe	Payments & subscriptions	US
Google, Facebook, Microsoft	OAuth sign-in	Global
Sentry	Error tracking	US / EU
PostHog	Product analytics	US (us.i.posthog.com) or EU per residency
Vercel Analytics & Speed Insights	Performance & traffic metrics	US
Google Apps Script + Google Sheets	Waitlist intake (today, pre-app-launch)	US

6 · Cookies & tracking

The marketing site (coconnect.ai) ships zero analytics or tracking scripts today. The dependency tree is just Next.js, React, and Tailwind — you can verify in our package.json. The only cookies set here are session and preference cookies if you later sign in.

In the app (app.coconnect.ai), we set:

Authentication cookies (NextAuth session).
A small preference cookie for the light/dark theme toggle.
Analytics cookies via PostHog and Vercel Analytics — consent-gated in jurisdictions that require it.

You can clear cookies anytime. Signing out invalidates the session cookie server-side via a sessionVersion bump, so old sessions can’t be replayed.

7 · How long we keep it

Active account data — as long as the account exists.
Deleted accounts — 7-day grace window during which you can cancel deletion. After the cron purge, we retain only what law or accounting requires (e.g. Stripe transaction records).
Email logs — per Resend’s defaults.
Sentry error reports — per Sentry’s defaults (typically 30–90 days).
PostHog events — per PostHog’s defaults (typically up to 7 years on US Cloud, unless we configure shorter).
Marketing unsubscribes — we keep the suppression record indefinitely so we never email you again by mistake.
Waitlist sheet rows — until we close the waitlist. You can ask us to delete sooner; just email hello@coconnect.ai.

8 · Your rights

These apply globally, even if your jurisdiction doesn’t formally require them:

Access — request a copy of what we have on you.
Correction — fix anything wrong. Most profile fields you can edit directly.
Deletion — delete your account (7-day grace) or specific content.
Portability — export your profile and projects. We’ll provide a JSON dump on request until the self-service export ships.
Opt out of marketing — unsubscribe link in any marketing email, or email us.
Object or restrict processing — email us.
Cookie consent withdrawal — clear cookies or use the in-app preference panel once it ships.
Lodge a complaint with your local data-protection authority (e.g. the ICO in the UK, or your national DPA in the EU).
California (CCPA/CPRA) — right to know, delete, correct, and opt out of “sharing.” We don’t sell personal data.

We respond within 30 days. To exercise any of these, email hello@coconnect.ai.

9 · International transfers

Our subprocessors are mostly US-based. For users in the EU or UK, we rely on Standard Contractual Clauses and equivalent transfer mechanisms where required. We’ll update this section as we formalize DPAs with each vendor.

10 · Security

We don’t claim certifications we don’t have. No SOC 2, no ISO 27001 — not yet. What we do:

Passwords stored as bcrypt hashes.
OAuth sign-in supported so you don’t have to manage another password.
HTTPS everywhere.
Database hosted on Supabase with row-level security.
Session-version invalidation so you can sign out from all devices.
CAPTCHA on signup to slow down bots.
Sentry monitors production errors; PostHog flags product issues.

No security is perfect. If a breach affects you, we’ll notify you without undue delay.

11 · Children

The Service isn’t for anyone under 18 — or under your local age of digital consent (16 in some EU countries). We don’t knowingly collect data from minors. If we learn we have, we delete it.

12 · AI features

We do not currently send user-generated content to LLM providers for any feature. If that changes, we’ll update this policy and notify users.
We do not allow our subprocessors to use your data to train their models.

13 · Email & notifications

Transactional email (sign-in links, billing, invite notifications, security alerts) is essential to the Service. You can’t fully opt out without closing your account.
Product updates and announcements are optional and opt-in. Every email has an unsubscribe link.
We honor bounces and complaints automatically — the Resend webhook flips your emailDeliverable flag.

14 · Profile visibility & search indexing

You control whether your profile is indexable by search engines via a per-user searchIndexable setting. Default is on.
Other CoCo users can find you in catalogue and search if you’re active.
Blocking another user hides you from their feed, search, and catalogue and pauses any open conversation between you.

15 · Changes to this policy

We’ll post changes with a new “last updated” date. Material changes get an email or in-app notice.

16 · Contact

For privacy questions, email hello@coconnect.ai. If you need a human escalation, our founder Sujith is at sujith@coconnect.ai.

This policy describes what we’re building and what we already do. We’re a small team — pre-launch as of May 2026 — so this will evolve. If something here looks wrong or you want a copy of your data, just email us.

Co·Connect · coconnect.ai← Back to home